ISO 27001 CONSULTANCY

Drive Continual Improvement

Use the ISO 27001 standard to drive secure and confidential management of data and information in your organisation.

ISO 27001

ISO 27001 provides the most comprehensive approach to managing Information Security against a recognised international standard. Certification against the standard has doubled in the past five years, in line with the rising number of Information Security incidents that organisations face every day.

Onsite Consultancy

Our onsite ISO Consultancy services provide you with the tailored support you need to achieve your goals for ISO Certification. Benefit from our insights to build an information security management system that delivers the outcomes you need. We bring clarity to ISO 27001 so that you develop your existing good practices into a highly effective information security management system.

What is the ISO 27001 Information Security management standard?

ISO 27001 is the internationally recognised standard for Information Security management. The purpose of the Information Security management system is to enable organisations to:

meet desired outcomes on data confidentiality, integrity and availability and incorporate them into organisational goals

address the actual and potential information security risks and opportunities faced by the organisation

provide regulators, customers and other interested parties with assurance that the legal, regulatory and contractual requirements relating to security, such as data protection and the GDPR, have been identified and are being met

ISO 27001 is written as a generic standard and provides a management framework for an organisation to manage and improve its Information Security performance. Starting from a risk assessment, and from the Statement of Applicability that records which of the standard's Annex A controls apply to the organisation and why, ISO 27001 helps an organisation integrate sensible and effective controls into its day-to-day processes to preserve the confidentiality, integrity and availability of information.

Benefits of ISO 27001 Information Security management

The need for effective Information Security management has never been greater. The UK National Cyber Security programme reported in March 2019 that:

The government’s 2018 Cyber Security Breaches Survey indicated the mean direct cost to businesses where a cyber breach had taken place was £1,230, although this rose to £9,260 for large companies

72% of large UK companies reported a cyber-attack in the previous 12 months, with 9% of those reporting multiple attacks per day

1,100+ cyber security incidents had been dealt with by the National Cyber Security Centre since its formation in October 2016

At the same time, there are growing opportunities to access markets online. Digital connectivity continues to grow: in the UK alone, 90% of households had internet access in 2018, compared with 77% in 2011.

The benefits of introducing an Information Security management system include:

The ability to differentiate your service from competitors

A recognised framework for identifying the legal and contractual requirements that apply to you and demonstrating that you comply with them

Supporting workers and contractors with training and information to make them more aware of threats

The ability to manage cyber attacks and reduce the impact of them

Ensuring your information assets are used appropriately and reducing the risk of malicious attack

A proactive approach to managing your IT assets and systems

Managing Information Security

ISO 27001 focuses the attention of the organisation on Information Security risks: identifying them, and treating them so that the residual risk is at a level the organisation has agreed to accept. There are several key areas which will be managed, including:

Asset management

Data classification and control

Access control to information and networks

Compliance to legal and other requirements

Physical and environmental security

System acquisition, development and maintenance

Communications and operations management

Business continuity and disaster recovery management

The ISO 27001 standard requires an organisation to define the scope of its Information Security management system (the parts of the business, sites, systems and information it covers) and to produce a 'Statement of Applicability' recording which of the standard's Annex A controls have been selected, which have been excluded, and the justification for each. The scoping exercise serves as a useful boundary that will help decide which activities will be covered by the system, and the Statement of Applicability is the document an auditor will use to check that the selected controls are actually in place.

The detailed methods for managing information security risks will be realised through the operation of the system: from initial identification and prioritisation of risks, through setting objectives, to selecting and implementing the controls that treat them.

Whilst many organisations will carry out these activities as a matter of course, the level of governance provided by an ISO 27001 Information Security management system will lead to systematic and organised improvement in Information Security performance over time.

Interaction with other systems (e.g. environmental management)

Disciplines within Information Security management will overlap with those from other standards.

Procedures and instructions written for Information Security management will improve the quality of output from workers and contractors by giving them access to the correct information at the point they need it. As well as access to data, workers will be able to access physical sites and resources securely and be protected from threats.

ISO 27001 supports an organisation's planning for business continuity, in that the risks arising from significant disruptive events can be prepared for and actions put in place to manage disaster recovery. Information Security planning can be applied to the actions that take place during disaster recovery; for example, introducing or replacing networks or hardware, maintaining access controls while systems are being rebuilt, and finally transitioning back to normal working conditions.

Plan-Do-Check-Act

Information Security management, like all the ISO management system standards, has adopted the PDCA cycle as the basis of continual improvement. Organisations don't have to be perfect in order to have an effective Information Security management system, but the expectation of the ISO standard is that you can demonstrate the journey your organisation is taking. Over time, your capabilities and effectiveness will improve if you critique your Information Security performance in order to improve it.

In following the plan-do-check-act process, the management team will begin to improve their planning processes and develop their skills of critical assessment with regard to Information Security management. Part of this improvement will be to crystallise Information Security management objectives at both a strategic and an operational level.

The Plan-Do-Check-Act process is a critical element of the management system, and each time the cycle is followed through, the capabilities of the team will get better. Tangible improvement arising will include:

Identifying opportunities for improving Information Security, particularly in spotting new vulnerabilities that emerge over time as systems, suppliers and threats change

How do I get ISO 27001?

Many companies ask what they need to do to 'get' ISO 27001. The answer is to apply the requirements of the ISO 27001 Standard to their management systems. In many cases, an established business will already meet many of the requirements through the good practices that made it successful.

Getting ISO 27001 is then a process of being certified. UKAS accredited Certification Bodies are the organisations that will carry out a series of audits of the Information Security management system against the ISO Standard. As a result of the audit, if the Information Security management system meets the Standard, the organisation is awarded an ISO 27001 Certificate.

How long does it take to get an ISO 27001 certificate?

If you are beginning your journey to certification, it is easiest to consider three phases:

Developing the Information Security management system

Meeting the first phase of the ISO 27001 Audit Process

Meeting the second phase of the ISO 27001 Audit Process

The process of developing an Information Security management system that meets the ISO 27001 standard can take anywhere from 3 to 12 months depending on the level of maturity of the organisation. In some cases, it is simply a case of introducing some new governance processes or developing documentation, whereas in others, an organisation will need to start from scratch.

The first phase of the ISO 27001 audit process is a 'Stage 1' Audit, which looks at the readiness of the system and checks the required documentation. The benefit of the Stage 1 audit is that the organisation can test out its ideas and identify gaps without the risk of failing certification. The audit results in a report setting out the areas of concern that must be addressed before the Stage 2 audit takes place.

Usually, there is a gap between the Stage 1 and Stage 2 audits of 4 weeks to 6 months, which allows the organisation to gather more data and increase its capabilities.

What does ISO 27001 cost?

Like any product or service that an organisation buys, it is important to shop around Certification Bodies and ensure that you get a level of service you want, at a price that is acceptable.

The UKAS accredited Certification Bodies are subject to quality standards themselves, and UKAS acts as an ombudsman for complaints about them, which gives you assurance that any issues will be resolved appropriately.

Typically, direct audit costs are charged on a day-rate basis and the number of days will vary according to the size of the business. Companies of up to 50 people can expect initial certification costs of approximately £5k, and ongoing costs of up to £2-3k per annum.

Spedan Ltd are Associate Consultants to the major ISO Certification Bodies and can help clarify your costs before you commit to one supplier.